Twitter disclosed that a ‘security incident’ caused private tweets sent to Twitter Circles to be shown publicly to users outside of the Circle.
Twitter Circle is a feature released in August 2022 that allows users to send tweets to a small circle of people, promising to keep them private from the public.
“Twitter Circle is a way to send Tweets to select people, and share your thoughts with a smaller crowd,” reads Twitter’s description of the privacy feature.
“You choose who’s in your Twitter Circle, and only the individuals you’ve added can reply to and interact with the Tweets you share in the circle.”
However, around April 7th, Twitter users began warning that tweets to Twitter Circles were no longer private and were being shown publicly in the timelines of people outside of the Circle.
In a notification sent to impacted users yesterday, Twitter says a ‘security incident’ is behind the public display of private Twitter Circle tweets.
“We’re contacting you because your Twitter account may have been potentially impacted by a security incident that occurred earlier this year (April 2023)”, reads a security incident notification sent by Twitter yesterday.
“In April 2023, a security incident may have allowed users outside of your Twitter Circle to see tweets that should have otherwise been limited to the Circle to which you were posting. This issue was identified by our security team and immediately fixed so that these tweets were no longer visible outside of your Circle.”
“We’ve conducted a thorough investigation to understand how this occurred and have addressed this issue. Twitter is committed to protecting the privacy of the people who use our service, and we understand the risks that an incident like this can introduce and we deeply regret this happened.”
While Twitter did not share what caused this security incident, the social site has rapidly changed the platform since Elon Musk took ownership.
Many of these changes revolved around increasing tweets’ exposure via Twitter’s recommendation algorithm, which Musk said in late March would be updated every 28 to 48 hours.
BleepingComputer contacted Twitter to learn more about the security incident and will update the article if we receive a response.